On 10 May 2018, the Network and Information Systems Regulations 2018 (NISR) came into force in the UK. NISR implements the EU's Directive on security of network and information systems (the NIS Directive, Directive (EU) 2016/1148), which this blog has covered previously. Relatedly, on 25 April 2018, the UK government's Department for Digital, Culture, Media and Sport (DCMS) published the Cyber Security Breaches Survey 2018, which details what businesses and charities are doing about cybersecurity and the impact that cyberattacks have had on them.

Summary of NISR

These regulations outline measures to protect critical IT systems in economic sectors like energy, banking, transport and health. NISR applies to “operators of essential services” (OESs) and “digital service providers” (DSPs). It focuses on network and systems security and interruption to services.

The UK government has the power to designate which organisations are OESs, and therefore within scope of the new laws, provided certain criteria are met. DSPs are directly subject to the new regulations, although micro and small businesses are exempt. OESs and DSPs are required to keep their networks and information systems secure, and to notify the competent authority of security incidents. Competent authorities vary by sector and include the Information Commissioner's Office, Ofcom and various sectoral regulators.

NISR contains a tiered system of fines for breaches, dependent on the severity of their consequences:

Up to £3.4 million where a security incident has caused, or could cause, a reduction in the provision of services for a significant period of time;

Up to £8.5 million where a security incident has caused, or could cause, a disruption of services for a significant period of time;

Up to £17 million for serious cases where a security incident has caused, or could cause, "an immediate threat to life or significant adverse impact on the United Kingdom economy".

Comment

NISR appears to have been overshadowed by the General Data Protection Regulation, which applies from 25 May 2018. However, NISR should be closely examined by any potential OES or DSP, especially given the incident notification obligations and the potentially large fines. The DCMS provided important clarity that operators who assess their risks adequately, take appropriate security measures and engage with their regulators can avoid fines, which are intended to be used only as a last resort.

Cyber Security Breaches Survey 2018

The messaging around the survey is that UK businesses need to do more to protect themselves against cybercrime. The statistics in the survey show that 43 per cent of businesses and 19 per cent of charities suffered a cyber breach or attack in the past 12 months. For large businesses, the figure rises to 72 per cent.

Common breaches involve fraudulent emails, scammers impersonating the organisation, viruses, ransomware and other malware. The impact of breaches and attacks ranges from temporary or permanent file loss, to reduced website functionality, to theft of money, assets and intellectual property. The survey urges businesses to consider their "organisational cultures", seek guidance, train staff, deploy cybersecurity policies, and undertake audits and monitoring to check that those policies are working.

The survey forms part of the UK’s broader National Cyber Security Programme, linking in with the introduction of NISR, the GDPR coming into force on 25 May 2018 and continued government investment in this area.

On 13 April 2018, the High Court, in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), handed down judgment in two claims by businessmen asserting the right to be forgotten against Google. The Court found for NT2 and against NT1. The full judgment is available online; in this blog we explore the reasoning behind the Court's decision.

Right to be forgotten/right to erasure

The Court of Justice of the EU confirmed in 2014 that the right to be forgotten already existed under EU data protection law, in Google Spain SL v Agencia Española de Protección de Datos (Case C-131/12). The right is now made explicit in the text of the EU General Data Protection Regulation 2016/679 (GDPR), where it is essentially an enhanced right of erasure (Article 17). The right is not absolute: a controller does not need to comply with a request if there is a legitimate reason for continuing to process the personal data.

Case summary

Two separate businessmen brought cases, which were consolidated. Each case centred on the reporting of business-related criminal convictions that were spent and over a decade old:

NT1 was convicted of conspiracy to commit false accounting and tax evasion; and

NT2 pleaded guilty to conspiracy to tap phones and hack computers of environmental activists who had made threats against him and his business.

In anticipation of the implementation of the Trade Secrets Directive, the topic of know-how protection has been widely discussed. Dr Anette Gärtner, along with Sabrina Gossler, has written an article which explores the current legal situation in Germany, analyses the relevant provisions of the Directive and explains the immediate next steps for companies operating in Germany. Key messages from the article include the need for companies to take objective measures to safeguard confidentiality, and the introduction of the "Confidentiality Club", which is expected to lead to an increase in German trade secret litigation. Please refer to the full article by Dr Anette Gärtner and Sabrina Gossler in the May issue of Mitteilungen der dt. Patentanwälte for further commentary.

On 10 April 2018, the Article 29 Working Party (WP29) published revised guidelines on consent under the General Data Protection Regulation (GDPR). Consent is one of the six GDPR bases for the lawful processing of personal data.

Technology Law Dispatch looked at the WP29’s draft guidelines on consent earlier this year. This article examines the differences between the draft and final guidelines.

Conditions for valid consent – freely given

Under the GDPR, consent must be freely given, specific, informed and unambiguous. Where a controller wants to process personal data for additional purposes other than the provision of a requested service, individuals should be given the option to separately consent to or reject such processing.

WP29 states that consent will not be freely given where a controller argues that a choice exists between: (1) its own service, which includes processing for additional purposes; and (2) an equivalent service offered by a different controller.

WP29's reasoning is that accepting such an argument would make an individual's freedom of choice dependent on: (1) the practices of market competitors; and (2) whether the data subject finds other controllers' services to be genuinely equivalent. It would also imply an obligation for controllers to monitor market developments to ensure the continued validity of consent for their processing activities, as a competitor could alter its service at any time. WP29 regards this as neither realistic nor pragmatic, and the final guidelines therefore reject consent that relies on an alternative offered by a third party.

The Article 29 Working Party (WP29) adopted, on 11 April 2018, finalized guidelines on transparency (the Guidelines) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), following its public consultation.

The updated guidelines link the requirement for information to be intelligible and in clear and plain language with the accountability principle. The guidelines now state that an "accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand." This includes, for example, assuming that working professionals have a higher understanding of certain issues than children or non-specialists. In other words, the data controller is expected to tailor its notices and information to the relevant audience. The final guidelines also suggest mechanisms by which controllers can test their interfaces, notices and policies for intelligibility and transparency, including the use of industry groups, consumer advocacy groups, readability tests and regulatory bodies.

On March 30, 2018, a D.C. federal district court denied, in relevant part, a motion to dismiss an ACLU-backed case filed against the government to challenge the constitutionality of the Computer Fraud and Abuse Act (CFAA), which makes it a federal crime to access a computer in a manner that "exceeds authorized access." Sandvig v. Sessions, No. 1:16-cv-01368, Dkt. 24 (D.D.C. Mar. 30, 2018). The court held that the plaintiffs could proceed with their claim that the Free Speech and Free Press Clauses of the First Amendment, as applied, bar prosecution under the CFAA because it would restrict the plaintiffs' ability to gather and report on publicly available information; the court reasoned that even information available only after a user registers on a site is generally available to the public.

The particular facts of the Sandvig case are, unsurprisingly, aimed at highlighting a potentially extreme application of the CFAA. The named plaintiffs are four professors and a media organization investigating whether automated decision-making and ad targeting technologies employed by various websites result in discriminatory practices against protected classes. For example, they want to analyze whether a real estate or employment website discriminates against a user based on race. To perform the necessary analysis, they intend to use web scraping, bots, fake accounts ("sock puppets") and other data collection techniques to conduct outcomes-based audit testing of websites and uncover such practices. These activities are typically prohibited by websites' terms of service (TOS) and so, on the government's reading of the statute, would be unauthorized.

The guidelines put out for consultation would require a certification body under the GDPR to be accredited by the competent supervisory authority, the national accreditation body, or both. The guidelines aim to establish a harmonised baseline for certification.

General overview

In brief, the guidelines:

set out the purpose of accreditation and include a list of definitions;

explain routes to accredit certification bodies;

give a framework for additional accreditation requirements where accreditation is handled at national level;

stress they are not a procedural manual, or a new technical standard;

highlight that the final form document will include an annex outlining a framework for identifying accreditation criteria.

In November 2017, the House of Commons Committee on Exiting the European Union (the Committee) published impact assessment reports of Brexit on various UK business sectors. The Report on the Technology (ICT) Sector (the Report) is a mix of qualitative and quantitative analysis. For each business sector, the Report includes: (i) a description of the sector; (ii) the current EU regulatory regime in which the sector operates; and (iii) an explanation of the frameworks governing how trade is facilitated between countries in the sector. Information provided by the government to the Committee about specific sector views has been withheld by the Committee.

Sector overview

The UK digital sector is vast. It covers digital goods, digital services and digitally enabled transactions of goods and services. It includes the following services and products: (i) audio-visual; (ii) e-commerce; (iii) telecommunications; (iv) data; (v) emerging industries, such as artificial intelligence; (vi) FinTech (dealt with in a separate report); (vii) the Internet of Things; and (viii) cybersecurity. Though London is a prominent hub, digital companies are spread across the UK. Several other cities have highly ranked digital clusters.

The Report highlights:

the extent of the UK’s investment in the digital sector;

how tech companies are investing in the UK since the Brexit referendum; and

information about the value added by the ICT industry, including its contribution to national economy statistics, employment, national balance of trade and international trade.

Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors

On April 24, 2018, the U.S. Securities and Exchange Commission (SEC) and Altaba Inc. (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of up to 3 billion Yahoo accounts in incidents that occurred in 2013 and 2014 but were not disclosed until 2016.[1] The 2014 incident was attributed to Russian hackers by the U.S. government in March 2017.[2]

The SEC's administrative proceeding order pointed to Altaba's delayed disclosure of the 2013–2014 security incidents, as well as the company's filing of multiple public reports with the SEC that discussed the risks and consequences of a breach in general terms but did not tell investors that such a threat had already been realized in 2013 and 2014.[3] Unlike previous high-profile fines for improper incident response, which arose from failures to notify affected customers or the subjects of breached data, the $35 million fine levied against Altaba is the first of its kind to focus on a breached public company's disclosure to investors. It should encourage companies to make sure their data breach response plans address their responsibilities to shareholders as well.

Arizona and its Attorney General’s office have emerged as key players in the effort to prioritize data security on the national stage. Since his inauguration in 2015, Arizona Attorney General Mark Brnovich has struck a balance between supporting innovation and protecting Arizonans’ privacy rights. With the support of Governor Doug Ducey, Arizona is taking active steps to broaden the scope of state privacy protection initiatives.

As the current Chair of the Conference of Western Attorneys General (CWAG), AG Brnovich will host CWAG's 2018 Chair Initiative in Scottsdale, Arizona on May 3 and 4, focusing specifically on data privacy, cybersecurity and digital piracy. The meeting will bring together AGs from around the country, as well as thought leaders and key private-sector stakeholders, to tackle new horizons on issues such as breach notification, the European Union's data protection regulations, national security and FinTech. To read more about AG Brnovich's 2018 Chair Initiative, and his take on how attorneys general are tackling privacy and data security issues, see Reed Smith Partner Divonne Smoyer and Associate Kimberly Chow's recent Q&A with AG Brnovich on the website of the International Association of Privacy Professionals.